coreboot 4.17 has been released. The project develops a free alternative to proprietary firmware and BIOS.
Since the release of version 4.16, there have been more than 1300 new commits from around 150 contributors, approximately 15 of whom were first-time contributors.
Main new features of coreboot 4.17
In this version, vendor-specific TIS (TPM Interface Specification) functions were added for reading and writing TPM (Trusted Platform Module) registers directly: tis_vendor_read() and tis_vendor_write().
Another notable change is support for catching null pointer dereferences, which are reported in the debug log. In addition, i2c device detection has been implemented to simplify support for laptops equipped with touchpads or touch screens from different manufacturers.
The ability to save timing data in a format suitable for generating FlameGraph charts was also added; such charts show clearly how much time is spent in each stage of the boot process.
An option was added to the cbmem utility for adding timestamps from userspace to cbmem's "timestamp" table, which makes it possible to record in cbmem events from stages executed after coreboot has finished.
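As an added illustration (not code from coreboot or its cbmem utility), the script below shows what "timing data in a FlameGraph-friendly format" means in practice. It parses a boot timestamp table laid out like cbmem's `id:name  absolute_us (delta_us)` rows and emits the folded-stack lines (`frame;frame count`) that FlameGraph's flamegraph.pl consumes, crediting each interval to the event that opened it and nesting it under the stage whose "start of ..." marker was seen last. The sample table, the stage-marker convention and the function names are constructed for this example.

```python
"""Convert a coreboot-style boot timestamp table into FlameGraph folded-stack
format.  Added illustration; not code from coreboot or the cbmem utility."""
from __future__ import annotations

import re

# Constructed sample modelled on the row layout of `cbmem -t` output
# (id:name, absolute time in microseconds, delta in parentheses).
# The values are made up for this example.
SAMPLE_TABLE = """\
8 entries total:

   1:start of romstage                         66,590 (66,590)
   2:before RAM initialization                 96,312 (29,722)
   3:after RAM initialization                 262,480 (166,168)
   8:starting to load ramstage                310,300 (47,820)
  10:start of ramstage                        350,100 (39,800)
  30:device enumeration                       351,000 (900)
  40:device configuration                     400,000 (49,000)
  99:selfboot jump                            520,000 (120,000)
"""

ROW_RE = re.compile(r"^\s*(\d+):(.*?)\s+([\d,]+)\s+\(([\d,]+)\)\s*$")
STAGE_MARKER = "start of "  # assumed convention for stage-boundary events


def parse_timestamps(text: str) -> list[tuple[int, str, int]]:
    """Return (id, name, absolute_us) per table row, sorted by time.

    Header lines, blank lines and anything else that is not a row are skipped.
    """
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1)),
                         m.group(2).strip(),
                         int(m.group(3).replace(",", ""))))
    rows.sort(key=lambda r: r[2])
    return rows


def to_folded(rows: list[tuple[int, str, int]]) -> list[str]:
    """Emit folded-stack lines 'stage;event duration_us' for flamegraph.pl.

    The interval between consecutive timestamps is credited to the event that
    opened it, nested under the most recent stage marker.  The final timestamp
    opens no interval, so it produces no line.
    """
    folded = []
    stage = "pre-stage"  # constructed label for events before any stage marker
    for (_, name, t0), (_, _, t1) in zip(rows, rows[1:]):
        if name.startswith(STAGE_MARKER):
            stage = name[len(STAGE_MARKER):]
        folded.append(f"{stage};{name} {t1 - t0}")
    return folded


def stage_totals(folded: list[str]) -> dict[str, int]:
    """Sum the per-event durations back up to whole stages (a sanity check)."""
    totals: dict[str, int] = {}
    for line in folded:
        stack, count = line.rsplit(" ", 1)
        stage = stack.split(";", 1)[0]
        totals[stage] = totals.get(stage, 0) + int(count)
    return totals


if __name__ == "__main__":
    lines = to_folded(parse_timestamps(SAMPLE_TABLE))
    print("\n".join(lines))  # pipe this into: flamegraph.pl > boot.svg
    print(stage_totals(lines))
```

Because the "count" column is microseconds, flamegraph.pl draws each frame with a width proportional to wall-clock time, so the slowest stage and the slowest event inside it are visible at a glance; the stage totals should match the difference between consecutive stage markers, which is a quick way to catch a parsing mistake.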
A built-in ability to generate static page tables from assembler files was added, without the need to invoke third-party utilities.
It is also worth highlighting the fix for a vulnerability (CVE-2022-29264) present in coreboot versions 4.13 through 4.16. On systems with APs (Application Processors) it allowed code execution at the SMM (System Management Mode) level, which is more privileged (often called ring -2) than hypervisor mode (ring -1) and protection ring 0, and has unrestricted access to all memory. The problem was caused by an incorrect invocation of the SMI handler in the smm_module_loader module.
Other notable changes in this version:
- Allowed writing debug information to the CBMEMC console from SMI handlers when using DEBUG_SMI.
- The CBMEM initialization hook system has been changed: instead of *_CBMEM_INIT_HOOK handlers tied to individual stages, two hooks are provided: CBMEM_CREATION_HOOK (used in the early stage that creates cbmem) and CBMEM_READY_HOOK (used in any stage where cbmem has already been created).
- Added support for PSB (Platform Secure Boot), enforced by the PSP (Platform Security Processor), which verifies the integrity of the BIOS using a digital signature.
- Added coreboot's own handler for debug output passed from the FSP (FSP Debug Handler).
- Added support for 12 motherboards, 5 of which are used in Chrome OS devices or Google servers, including:
  - Clevo L140MU / L141MU / L142MU
  - Dell Precision T1650
  - HP Z220 CMT Workstation
  - Star Labs LabTop Mk III (i7-8550u), LabTop Mk IV (i3-10110U, i7-10710U), Lite Mk III (N5000), and Lite Mk IV (N5030).
- Removed support for Google Deltan and Deltaur motherboards.
- Added a new coreDOOM payload, which allows the DOOM game to be run from coreboot.
  - The payload uses doomgeneric code ported to libpayload.
  - coreboot's linear framebuffer is used for output, and WAD files with the game assets are loaded from CBFS.
- Updated the SeaBIOS 1.16.0 and iPXE 2022.1 payload components.
- Added a SeaGRUB mode (GRUB2 on top of SeaBIOS), which allows GRUB2 to use callbacks provided by SeaBIOS, for example to access hardware that the GRUB2 payload cannot drive on its own.
- Added protection against the SinkHole attack, which allows code execution at the SMM (System Management Mode) level.
Additionally, we can point out the open letter to Intel published by the OSFF (Open-Source Firmware Foundation), which proposes modularizing the Firmware Support Packages (FSP) and starting to publish documentation related to Intel SoC initialization.
The lack of FSP source code makes it very difficult to build open firmware and hampers the progress of the coreboot, U-Boot, and LinuxBoot projects on Intel hardware. A similar initiative previously succeeded, with Intel open-sourcing the PSE (Programmable Services Engine) firmware at the community's request.
Finally, if you are interested in learning more, you can check the details at the following link.